NETWORK FINGERPRINTING 



FIELD OF THE INVENTION 

[0001] This invention pertains generally to computer 
networks and, more particularly, to computer network identity. 

BACKGROUND OF THE INVENTION 

[0002] Modern computers communicate with each other over a 
variety of computer networks. Mobile computers may utilize 
several computer networks in a day. Even fixed-location 
computers may have access to multiple computer networks, for 
example, to achieve increased reliability through redundancy, 
to take advantage of cost differentials between computer 
networks, or for changing communications security requirements. 
[0003] A computer, a computer operating system, and/or a 
communications application may need to change its configuration 
based upon the computer network or networks to which it is 
connected. Some conventional methods of differentiating 
between computer networks are ad hoc or limited to particular 
network types. In a modern heterogeneous networking 
environment, this may result in configuration inconsistencies 
and, ultimately, confusion and frustration for users of 
computer systems. 

[0004] Some conventional methods of differentiating between 
computer networks provide ambiguous results without providing 
information regarding the level of ambiguity. Such methods may 
be unsuitable, particularly for security conscious 
applications. In addition, it may be that access to network 
services is denied, for example, for security reasons, until 
the level of ambiguity is sufficiently low. As a result, it is 
desirable that network disambiguation be fast and efficient. 

BRIEF SUMMARY OF THE INVENTION 

[0005] This section presents a simplified summary of some 
embodiments of the invention. This summary is not an extensive 
overview of the invention. It is not intended to identify 
key/critical elements of the invention or to delineate the 
scope of the invention. Its sole purpose is to present some 
embodiments of the invention in a simplified form as a prelude 
to the more detailed description that is presented later. 
[0006] In an embodiment of the invention, one or more 
connections are established to one or more computer networks. 
A network identifier may be issued for each computer network. 
An identity confidence may be determined for each issued 
network identifier with respect to one or more current computer 
networks. 

[0007] In an embodiment of the invention, a first set and a 
second set of identity confidences are determined. Determining 
the first set of identity confidences includes applying one or 
more of a set of learned identity confidence modifiers to one 
or more of the identity confidences of the first set. 
Determining the second set of identity confidences includes 
applying one or more of a set of active network attribute 
identity confidence modifiers to one or more of the identity 
confidences of the second set. The set of learned identity 
confidence modifiers may be adjusted so that if the first set 
of identity confidences were to be re-determined then 
differences between the re-determined first set of identity 
confidences and the second set of identity confidences would be 
minimized. 

[0008] In an embodiment of the invention, a computerized 
system includes a network fingerprinting component. The 
network fingerprinting component may be configured to issue one 
or more network identifiers for one or more computer networks. 
The network fingerprinting component may be configured to 
maintain a set of issued network identifiers. The network 
fingerprinting component may be further configured to maintain 
a set of current identity confidences. The set of current 
identity confidences may include an identity confidence for 
each issued network identifier with respect to one or more 
current computer networks. 

BRIEF DESCRIPTION OF THE DRAWINGS 



[0009] While the appended claims set forth the features of 
the invention with particularity, the invention and its 
advantages are best understood from the following detailed 
description taken in conjunction with the accompanying 
drawings, of which: 

[0010] Figure 1 is a schematic diagram generally 
illustrating an exemplary computer system usable to implement 
an embodiment of the invention; 

[0011] Figure 2 is a schematic diagram illustrating 
computers variously connected by computer networks; 
[0012] Figure 3 is a schematic diagram illustrating an 
example high level systems architecture in accordance with an 
embodiment of the invention; 
[0013] Figure 4 is a schematic diagram illustrating an 
example network fingerprinting component architecture in 
accordance with an embodiment of the invention; 
[0014] Figure 5 is a flowchart depicting example steps for 
responding to a request for network identifiers in accordance 
with an embodiment of the invention; 

[0015] Figure 6 is a flowchart depicting example steps for 
determining current identity confidences for a computer network 
in accordance with an embodiment of the invention; 
[0016] Figure 7 is a flowchart depicting example steps for 
applying passive network attribute identity confidence 
modifiers to current identity confidences in accordance with an 
embodiment of the invention; 

[0017] Figure 8 is a flowchart depicting example steps for 
applying learned identity confidence modifiers to current 
identity confidences in accordance with an embodiment of the 
invention; 

[0018] Figure 9 is a flowchart depicting example steps for 
applying active network attribute identity confidence modifiers 
to current identity confidences in accordance with an 
embodiment of the invention; 

[0019] Figure 10 is a flowchart depicting example steps in 
accordance with an embodiment of the invention for updating 
learned identity confidence modifiers as a result of newly 
available active network attributes; and 

[0020] Figure 11 is a flowchart depicting aspects of Figure 
10 in more detail. 
DETAILED DESCRIPTION OF THE INVENTION 

[0021] Prior to proceeding with a description of the various 
embodiments of the invention, a description of a computer in 
which the various embodiments of the invention may be practiced 
is now provided. Although not required, the invention will be 
described in the general context of computer-executable 
instructions, such as program modules, being executed by a 
computer. Generally, programs include routines, objects, 
components, data structures and the like that perform 
particular tasks or implement particular abstract data types. 
The term "program" as used herein may connote a single program 
module or multiple program modules acting in concert. The 
terms "computer" and "computing device" as used herein include 
any device that electronically executes one or more programs, 
such as personal computers (PCs), hand-held devices, 
multi-processor systems, microprocessor-based programmable consumer 
electronics, network PCs, minicomputers, tablet PCs, laptop 
computers, consumer appliances having a microprocessor or 
microcontroller, routers, gateways, hubs and the like. The 
invention may also be employed in distributed computing 
environments, where tasks are performed by remote processing 
devices that are linked through a communications network. In a 
distributed computing environment, programs may be located in 
both local and remote memory storage devices. 
[0022] Referring to Figure 1, an example of a basic 
configuration for the computer 102 on which aspects of the 
invention described herein may be implemented is shown. In its 
most basic configuration, the computer 102 typically includes 
at least one processing unit 104 and memory 106. The 
processing unit 104 executes instructions to carry out tasks in 
accordance with various embodiments of the invention. In 
carrying out such tasks, the processing unit 104 may transmit 
electronic signals to other parts of the computer 102 and to 
devices outside of the computer 102 to cause some result. 
Depending on the exact configuration and type of the computer 
102, the memory 106 may be volatile (such as RAM), non-volatile 
(such as ROM or flash memory) or some combination of the two. 
This most basic configuration is illustrated in Figure 2 by 
dashed line 108. 

[0023] The computer 102 may also have additional 
features/functionality. For example, computer 102 may also 
include additional storage (removable 110 and/or non-removable 
112) including, but not limited to, magnetic or optical disks 
or tape. Computer storage media includes volatile and 
non-volatile, removable and non-removable media implemented in any 
method or technology for storage of information, including 
computer-executable instructions, data structures, program 
modules, or other data. Computer storage media includes, but 
is not limited to, RAM, ROM, EEPROM, flash memory, CD-ROM, 
digital versatile disk (DVD) or other optical storage, magnetic 
cassettes, magnetic tape, magnetic disk storage or other 
magnetic storage devices, or any other medium which can be used 
to store the desired information and which can be accessed by 
the computer 102. Any such computer storage media may be part 
of computer 102. 

[0024] The computer 102 preferably also contains 
communications connections 114 that allow the device to 
communicate with other devices such as remote computer(s) 116. 
A communication connection is an example of a communication 
medium. Communication media typically embody computer readable 
instructions, data structures, program modules or other data in 
a modulated data signal such as a carrier wave or other 
transport mechanism and includes any information delivery 
media. By way of example, and not limitation, the term 
"communication media" includes wireless media such as acoustic, 
RF, infrared and other wireless media. The term 
"computer-readable medium" as used herein includes both computer storage 
media and communication media. 

[0025] The computer 102 may also have input devices 118 such 
as a keyboard/keypad, mouse, pen, voice input device, touch 
input device, etc. Output devices 120 such as a display, 
speakers, a printer, etc. may also be included. All these 
devices are well known in the art and need not be described at 
length here. 

[0026] In the description that follows, the invention will 
be described with reference to acts and symbolic 
representations of operations that are performed by one or more 
computing devices, unless indicated otherwise. As such, it 
will be understood that such acts and operations, which are at 
times referred to as being computer-executed, include the 
manipulation by the processing unit of the computer of 
electrical signals representing data in a structured form. 
This manipulation transforms the data or maintains it at 
locations in the memory system of the computer, which 
reconfigures or otherwise alters the operation of the computer 
in a manner well understood by those skilled in the art. The 
data structures where data is maintained are physical locations 
of the memory that have particular properties defined by the 
format of the data. However, while the invention is being 
described in the foregoing context, it is not meant to be 
limiting as those of skill in the art will appreciate that 
various of the acts and operations described hereinafter may 
also be implemented in hardware. 
[0027] An example of a computer networking environment 
suitable for incorporating aspects of the invention is 
described with reference to Figure 2. The example computer 
networking environment 200 includes several computers 202, 204, 
206, 208, 210, 212, 214, 216, 218 (e.g., each may be the 
computer 102 as described above with reference to Figure 1) 
communicating with one another over computer networks 220, 222, 
224, 226, 228, each represented by a cloud. Each computer 
network 220, 222, 224, 226, 228 may include many well-known 
components such as routers, gateways, hubs, etc. and may allow 
the computers 202, 204, 206, 208, 210, 212, 214, 216, 218 to 
communicate via wired and/or wireless media. When interacting 
with one another over computer networks 220, 222, 224, 226, 
228, one or more of the computers 202, 204, 206, 208, 210, 212, 
214, 216, 218 may act as clients, servers or peers with respect 
to other computers 202, 204, 206, 208, 210, 212, 214, 216, 218. 
Accordingly, the various embodiments of the invention may be 
practiced on clients, servers, peers or combinations thereof, 
even though specific examples contained herein may not refer to 
each of these. 

[0028] The computer 202 is connected to the computer network 
220. An authentication (Auth.) server is also connected to the 
computer network 220. Authentication servers are known in the 
art, so only some of their features are highlighted here. The 
authentication server is a type of computer (typically having 
an authentication application or operating system component 
executing on the computer) that provides authentication 
services, for example, issuing tokens to computers that 
successfully authenticate or locally maintaining an 
authoritative authentication state. A computer network policy, 
for example a security policy, may require that a computer 
successfully authenticate before being granted further access 
to network services and resources such as files, databases, 
directories, printers and so on. A Microsoft® Windows® XP 
server configured as a domain controller is an example of an 
authentication server. 
[0029] The computer network 220 is connected to the computer 
network 222 by a firewall 206. Firewalls are known in the art, 
so only some of their features are highlighted here. The 
firewall 206 is a type of computer (typically having a firewall 
application or operating system component executing on the 
computer) that enforces a computer network traffic policy, for 
example a security policy, with regard to computer network 
traffic arriving at the firewall. For example, the firewall 
206 may permit some types of computer network traffic to pass 
from the computer network 222 to the computer network 220 but 
block other types. 

[0030] The computer 208 is connected to the computer network 
224. The authentication server 210 is also connected to the 
computer network 224. The computer network 224 is connected to 
the computer network 222. The computer 212 is connected to the 
computer network 226. The computer network 226 is connected to 
the computer network 222. The cloud representing computer 
network 222 is larger than the clouds representing computer 
networks 220, 224, 226 and 228 to indicate that the computer 
network 222 is a computer network over which other computer 
networks communicate (i.e., is an inter-network); for example, 
the computer network 224 and the computer network 226 
communicate over the computer network 222. The computer 214 is 
connected to the computer network 222. The computer 216 and 
the computer 218 are connected to the computer network 228. 
The computer network 228 is not connected to the other computer 
networks 220, 222, 224, 226 of Figure 2. 
[0031] Figure 3 depicts an example high level systems 
architecture suitable for incorporating aspects of the 
invention. Applications 302 take advantage of network services 
304 through a network application programming interface (API) 
306. The network API 306 includes a network location awareness 
(NLA) component 308. The NLA component 308 includes a network 
fingerprinting component 310. 

[0032] Network services 304 include basic computer network 
services such as the establishment and maintenance of 
communication connections 114 (Figure 1). Network services 304 
include services provided by low level communications devices 
and protocols such as devices and protocols in accordance with 
the Institute of Electrical and Electronics Engineers (IEEE) 
802.1X series of communications standards, the Internet 
protocol (IP), the transmission control protocol (TCP), for 
example. Network services 304 may further include computer 
network infrastructure services such as the services provided 
by the dynamic host configuration protocol (DHCP), the Internet 
domain name system (DNS) and the like. Network services 304 
may also include higher level communications services such as 
those provided by a distributed component object model (DCOM) 
and the like. Each of these network service examples is well 
known in the art and need not be detailed here. For details of 
an example distributed component object model see the DCOM 
section of the Microsoft® Developer Network (MSDN®) Library. 
[0033] Network application programming interfaces are known 
in the art. Windows Sockets 2 (Winsock), as detailed in the 
Windows Sockets 2 section of the February 2003 Microsoft® 
Windows® Platform SDK documentation in the MSDN® Library, is an 
example of a network API 306. The network location awareness 
component 308 retrieves and monitors computer network 
attributes through the network API 306 and provides 
notification of changes to them. Network location awareness 
components are known in the art, so only some of their features 
are highlighted here. For details of an example network 
location awareness component, see the Network Location 
Awareness Service Provider section of the 2003 Microsoft® 
Windows® Platform SDK documentation in the MSDN® Library. 

[0034] Examples of computer network attributes retrieved and 
monitored by the NLA component 308 include low level 
communications device parameters, for example, media access 
control (MAC) addresses and wireless access points in 
accordance with the IEEE 802.11 series of wireless 
communications standards. Communications protocol operating 
parameters such as IP subnet specifications may also be 
retrieved. Additional computer network attributes may include 
infrastructure service parameters such as the network address 
of default gateways and DHCP server identifiers, as well as 
authentication server identifiers, for example, domain name, 
server names and unique identifiers, and the physical location 
of network elements. The NLA component 308 may retrieve any 

LVM 223294 

MS 301726.01 


suitable network services 304 configuration or operating 
parameter. 

[0035] The NLA component 308 may retrieve parameters 
directly from the network services 304 or through the network 
API 306. Computer network attributes such as network services 
304 configuration and operating parameters may be classified as 
passive or active. In an embodiment of the invention, computer 
network traffic, for example, a pair of request and response 
messages, is generated by the NLA component 308 when retrieving 
active network attributes (ANA), but retrieving passive network 
attributes (PNA) does not generate computer network traffic. 
Communication media connected status, IP address, IP subnet and 
default gateway network address are each examples of passive 
network attributes. In an embodiment of the invention, passive 
network attributes are computer network attributes that are 
present prior to the establishment of an active communications 
connection. Examples of active network attributes include 
authentication state (e.g., from an authoritative remote 
authentication server) and other network service attributes 
maintained by remote network service providers, in particular, 
remote network service presence. It may take the NLA component 
308 more time to retrieve and/or detect changes in active 
network attributes than passive network attributes. 
[0036] Different computer networks may have some of the same 
computer network attributes. For example the computer network 
220 and the computer network 228 of Figure 2 may utilize the 
same private IP subnet (e.g., 192.168.1.0/24). The computer 
network attributes of a particular computer network may change 
over time. For example, the number of wireless access points 
in the computer network 226 (Figure 2) may change over time. 
These characteristics of computer networks are part of the 
reason why it may be a challenge to unambiguously determine an 
identity of a particular computer network. 

[0037] The network fingerprinting component 310 determines a 
computer network identifier (NID), e.g., a GUID, for each 
computer network of which the network location awareness 
component 308 becomes aware. In an embodiment of the 
invention, the network fingerprinting component 310 further 
determines a level of confidence for each network identifier 
(an "identity confidence") with respect to various computer 
networks. The identity confidence of a particular network 
identifier may be a probability of correct identification of 
one of the computer networks of which the network location 
awareness component 308 is aware. For example, the identity 
confidence may have a value between a minimum identity 
confidence value (e.g., 0%) and a maximum identity confidence 
value (e.g., 100%). The identity confidence may have values on 
a quantized scale such as a scale of 0 (no confidence) to 5 
(highest confidence). 

[0038] The identity confidence of a particular network 
identifier may be based upon comparison of current and previous 
sets of network attributes. The network fingerprinting 
component 310 may have access to each network attribute 
retrieved by the network location awareness component 308. The 
network fingerprinting component 310 may subscribe to changes 
to network attributes monitored by the network location 
awareness component 310. It may be that some computer networks 
do not possess particular computer network attributes that may 
be utilized as part of determining identity confidence, for 
example, some computer networks may not include an 
authentication server. One or more of the highest levels of 
identity confidence may not be available for such computer 
networks. 

[0039] In response to a request for an identity of one of 
the computer networks of which the network location awareness 
component 310 is aware, for example, a request generated by one 
of the applications 302, the network fingerprinting component 
310 may respond with a response set of network identifiers as 
well as the identity confidence of each network identifier. 
For example, the response set of network identifiers may be 
sorted in order of descending identity confidence of the 
network identifiers. In an embodiment of the invention, 
computers incorporating the network fingerprinting component 
310 may exchange information regarding identified networks 
(e.g., network identifiers) with their neighbors, enabling a 
shared network map. 

[0040] Figure 4 depicts an example network fingerprinting 
component 310 architecture in accordance with an embodiment of 
the invention. Data structures maintained by the network 
fingerprinting component 310 include a set of issued network 
identifiers 402, a set of issued passive network attributes 404 
and a set of issued active network attributes 406. Each issued 
network identifier may be associated with a set of passive 
network attributes and may be further associated with a set of 
active network attributes. The set of issued passive network 
attributes 404 may contain the sets of passive network 
attributes associated with the issued network identifiers 402. 
The set of issued active network attributes 406 may contain the 
sets of active network attributes associated with the issued 
network identifiers 402. 

[0041] Data structures maintained by the network 
fingerprinting component 310 further include a set of current 
passive network attributes (PNA) 408 and a set of current 
active network attributes (ANA) 410. At a particular instant, 
each computer network connected to the computer(s) 
incorporating the network fingerprinting component 310 has a 
particular set of passive network attributes and a particular 
set of active network attributes. At that particular instant, 
those passive network attributes available to the network 
fingerprinting component 310 (i.e., available from the network 
location awareness component 308 of Figure 3 in this example) 
may be contained by the set of current passive network 
attributes 408. Those active network attributes available to 
the network fingerprinting component 310 at that particular 
instant may be contained by the set of active network 
attributes 410. 

[0042] Data structures maintained by the network 
fingerprinting component 310 further include a set of current 
identity confidences (CIC) 412, a set of passive network 
attribute (PNA) identity confidence modifiers (ICM) 414, a set 
of active network attribute (ANA) identity confidence modifiers 
(ICM) 416 and a set of learned identity confidence modifiers 
(LICM) 418. In an embodiment of the invention, a current 
identity confidence is determined for each issued network 
identifier by applying identity confidence modifiers to a base 
confidence (e.g., 0%). Passive network attribute identity 
confidence modifiers 414 may be applied to current identity 
confidences 412 when current passive network attributes 408 
match corresponding issued passive network attributes 404. 
Active network attribute identity confidence modifiers 416 may 
be applied to current identity confidences 412 when current 
active network attributes 410 match corresponding issued active 
network attributes 406. Learned identity confidence modifiers 
418 may be applied to current identity confidences 412 to 
modify current identity confidences determined independently 
of the current active network attributes 410. 

[0043] Unless indicated below or clearly otherwise indicated, 
a network attribute of a current computer network and another 
network attribute may match if the difference between the 
attribute values is within a matching tolerance. 

[0044] The set of passive network attributes changed 
indicators 420 may include, for each passive network attribute, 
an indicator indicating that corresponding current passive 
network attributes 408 have changed since current identity 
confidences 412 were last determined, or any suitable attribute 
change indicator that helps avoid duplicate determinations of 
identity confidence. The set of active network attribute 
changed indicators 422 may include similar change indicators. 
The passive network attributes identity confidence modifiers 
414, the current passive network attributes 408, the passive 
network attributes changed indicators 420 and the issued 
passive network attributes 404 data structures are depicted in 
a passive network attributes column. Each data structure in 
the passive network attributes column may have a corresponding 
entry for each passive network attribute. The active network 
attributes identity confidence modifiers 416, the current 
active network attributes 410, the active network attributes 
changed indicators 422 and the issued active network 
attributes 406 data structures are depicted in an active 




network attributes column. Each data structure in the active 
network attributes column may have a corresponding entry for 
each active network attribute. The issued network identifiers 
402, the current identity confidences 412, the issued passive 
network attributes 404, the learned identity confidence 
modifiers 418 and the issued active network attributes 406 are 
depicted in an issued network identifiers row. Each data 
structure in the issued network identifiers row may have a 
corresponding entry for each issued network identifier. As 
will be apparent to one of skill in the art, the data 
structures depicted in Figure 4 may be maintained in one or 
more tables of a relational database, for example. 
[0045] In an embodiment of the invention, a key use for 
network identifiers is as an index to network-dependent 
configurations and/or policies, for example, security policies. 
Such configurations and policies may be referenced early in an 
initialization of the computer incorporating the network 
fingerprinting component 310, for example, prior to enabling 
any network interface hardware and/or communication connections 
114 (Figure 1). The network fingerprinting component 310 may 
receive requests for network identifiers frequently as part of 
the initialization, for example, 100 requests within 2 minutes. 
This computer initialization scenario is not necessarily the 
most important operating scenario for the network 
fingerprinting component 310 but it does help provide context 
for the following discussion with regard to methods of 
associating network identifiers with computer networks. 
[0046] Figure 5 depicts example steps in accordance with an 
embodiment of the invention that may be performed in response 
to a request for network identifiers. The steps depicted in 
Figure 5 may be performed for each computer network of which 
the network location awareness component 308 is currently aware 
(each "current computer network"). One or more network 
identifiers may be added to the response set (returned) for 
each computer network with at least one network attribute of 
which the network location awareness component 308 is aware. 
[0047] The network fingerprinting component 310 typically 
subscribes to less than each of the network attributes of which 
the network location awareness component 310 is aware. For 
example, the network fingerprinting component 310 may subscribe 
to three passive network attributes such as network interface 
hardware MAC address, IP subnet and authentication domain name, 
and two active network attributes such as remote authentication 
server presence and authentication state with the remote 
authentication server. When the network location awareness 
component 310 initially becomes aware of, or retrieves an 
updated value for, the network attributes in which the network 
fingerprinting component 310 is interested, the network 
location awareness component 308 may pass the new or updated 
value to the network fingerprinting component 310. 
[0048] The network fingerprinting component 310 may add new 
or updated passive network attributes to the current passive 
network attributes 408 (Figure 4) and update corresponding 
passive network attributes changed indicators 420. The network 
fingerprinting component 310 may add new or updated active 
network attributes to the current active network attributes 410 
and update corresponding active network attributes changed 
indicators 422. The current passive network attributes 408 may 
become available for a particular computer network before the 
current active network attributes 410 become available. As a 
result, at step 502, the network fingerprinting component 310 
determines if the current active network attributes 410 for the 
computer network have become available or if they are as yet 
undetermined (i.e., null). If the current active network 
attributes 410 for the computer network have become available 
(i.e., they are not null) then the procedure progresses to step 
504. Otherwise, the procedure progresses to step 506. 
[0049] At step 504, it is determined if the current active 
network attributes 410 (Figure 4) have changed since the 
current identity confidences 412 were last calculated, for 
example, by checking the active network attribute changed 
indicators 422. If the current active network attributes 410 
have changed then the procedure progresses to step 508 where 
the current identity confidences 412 are determined. 
Otherwise, step 508 may be skipped and the procedure may 
progress to step 510. 

[0050] At step 506, it is determined if the current passive 
network attributes 408 (Figure 4) have changed since the 
current identity confidences 412 were last calculated, for 
example, by checking the passive network attribute changed 
indicators 420. If the current passive network attributes 408 
have changed then the procedure progresses to step 508. 
Otherwise, step 508 may be skipped and the procedure may 
progress to step 510. 

[0051] At step 508, the current identity confidences 412 
(Figure 4) for the computer network are determined. Example 
steps for determining the current identity confidences 412 are 
described in more detail below with reference to Figure 6 . At 
step 510, it is determined if any of the current identity 
confidences 412 for the computer network have the maximum 
identity confidence value (e.g., 100%) . If one or more of the 
current identity confidences 412 for the computer network have 
the maximum value then the procedure progresses to step 512. 
Otherwise the procedure progresses to step 514. At step 512, 
those issued network identifiers 402 with current identity 
confidences 412 at the maximum value are added to the response 
set (are returned to the requester). 

[0052] At step 514, it is determined if any of the current 
identity confidences 412 (Figure 4) for the computer network 
have values above a minimum identity confidence response 
threshold (e.g., 50%). If one or more of the current identity 
confidences 412 for the computer network do have values above 
the minimum identity confidence response threshold then the 
procedure progresses to step 516. Otherwise, the procedure 
progresses to step 518. At step 516, those issued network 
identifiers 402 with current identity confidences 412 above the 
minimum identity confidence response threshold are added to the 
response set (are returned to the requester) . 

[0053] At step 518, a new network identifier is issued. For 
example, the network fingerprinting component may generate a 
new network identifier and add the new network identifier to 
the issued network identifiers 402 (Figure 4) . The values of 
the issued passive network attributes 404 and the issued active 
network attributes 406 associated with the new network 
identifier may be the values of the current passive network 
attributes 408 and the current active network attributes 410 
(respectively) utilized in determining the current identity 
confidences 412 for the computer network. The values of the 
current identity confidence and learned identity confidence 
modifier (s) associated with the new network identifier may be 
their respective default values. At step 520, the new network 
identifier is added to the response set (i.e., is returned to 
the requester) . The identity confidence returned for the new 
network identifier may be a special value not normally 
returned, e.g., 0%, to indicate that it is a new network 
identifier (i.e., a previously unknown computer network) and 
not one of the previously issued network identifiers (i.e., one 
of the previously identified computer networks) . 
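The response-set decision of Figure 5 (steps 510 to 520), written out as an added worked example; this is not code from the patent. It assumes confidences are integer percentages, that the store issues identifiers of the form nid-N, and that a newly issued identifier starts with an additive learned modifier of 0 as its default. The point a practitioner should take from it is the fall-through: a network that matches nothing well enough is treated as previously unknown (a fresh identifier returned at the special 0% value) rather than being mapped onto the closest known, possibly trusted, network.

```python
"""Response-set selection of Figure 5 (steps 510 to 520), added as a worked example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_CONFIDENCE = 100       # maximum identity confidence value (the page's e.g. 100%)
RESPONSE_THRESHOLD = 50    # minimum identity confidence response threshold (e.g. 50%)
NEW_NID_CONFIDENCE = 0     # special value returned for a newly issued identifier (e.g. 0%)


@dataclass
class IssuedNetwork:
    """One entry of the issued network identifiers 402 with its issued attributes 404/406."""
    passive: Dict[str, object]
    active: Optional[Dict[str, object]]
    learned_modifier: int = 0   # learned identity confidence modifier 418 at its default (assumed: additive 0)


@dataclass
class FingerprintStore:
    issued: Dict[str, IssuedNetwork] = field(default_factory=dict)
    counter: int = 0

    def issue(self, passive, active) -> str:
        """Step 518: issue a new identifier whose issued attributes are the current ones."""
        self.counter += 1
        nid = f"nid-{self.counter}"   # identifier format is an assumption of this example
        self.issued[nid] = IssuedNetwork(dict(passive), None if active is None else dict(active))
        return nid


def select_response_set(store, confidences, current_passive, current_active=None) -> List[Tuple[str, int]]:
    """Steps 510 to 520. `confidences` are the current identity confidences 412 (nid -> percent)."""
    # steps 510/512: any identifier at the maximum value is returned, and only those
    at_max = [(nid, c) for nid, c in confidences.items() if c == MAX_CONFIDENCE]
    if at_max:
        return at_max
    # steps 514/516: otherwise every identifier strictly above the response threshold
    above = [(nid, c) for nid, c in confidences.items() if c > RESPONSE_THRESHOLD]
    if above:
        return above
    # steps 518/520: nothing is confident enough, so this is a previously unknown network
    nid = store.issue(current_passive, current_active)
    return [(nid, NEW_NID_CONFIDENCE)]


# constructed sample: the passive attributes seen on the connection being identified
SAMPLE_PASSIVE = {"ip_subnet": "172.16.5.0/24", "auth_domain": "corp.example"}


def demo():
    """Three visits against two previously issued identifiers (constructed values)."""
    store = FingerprintStore()
    store.issue({"ip_subnet": "10.1.0.0/16", "auth_domain": "corp.example"}, None)     # nid-1
    store.issue({"ip_subnet": "192.168.1.0/24", "auth_domain": "home.example"}, None)  # nid-2
    r1 = select_response_set(store, {"nid-1": 100, "nid-2": 20}, SAMPLE_PASSIVE)  # only the 100% match
    r2 = select_response_set(store, {"nid-1": 70, "nid-2": 60}, SAMPLE_PASSIVE)   # both above 50%
    r3 = select_response_set(store, {"nid-1": 20, "nid-2": 20}, SAMPLE_PASSIVE)   # new nid-3 at 0%
    return r1, r2, r3, store


if __name__ == "__main__":
    print(demo()[:3])
```

Note that the threshold test is strict ("above"), so a confidence of exactly 50% does not make it into the response set, while the maximum test is an equality test.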
[0054] Figure 6 depicts example steps for determining 
current identity confidence values for a particular computer 
network in accordance with an embodiment of the invention. At 
step 602, each current identity confidence associated with the 
issued network identifiers 402 (Figure 4) is reset to an 
initial identity confidence value, for example, 0%. At step 
604, passive network attribute identity confidence modifiers 
414 are applied to each current identity confidence associated 
with issued passive network attributes 404 that match the 
current passive network attributes 408. An example procedure 
for applying passive network attribute identity confidence 
modifiers in accordance with an embodiment of the invention is 
described below with reference to Figure 7 . 

[0055] Having applied the passive network attribute identity 
confidence modifiers 414 (Figure 4) , the procedure progresses 
to step 606. At step 606, it is determined if the current 
active network attributes 410 for the computer network have 
become available or if they are as yet undetermined (i.e., 
null) . If the current active network attributes 410 have not 
become available, the procedure progresses to step 608. 
Otherwise, the procedure progresses to step 610. 
[0056] At step 608, the learned identity confidence 
modifiers 418 (Figure 4) are applied to corresponding current 
identity confidences 412 with values above a minimum learned 
modification identity confidence threshold (e.g., 20%). An 
example procedure for applying learned identity confidence 
modifiers in accordance with an embodiment of the invention is 
described below with reference to Figure 8. Following step 
608, the current identity confidences 412 may be utilized, for 
example, as described above with reference to Figure 5. 
[0057] At step 610, active network attribute identity 
confidence modifiers 416 are applied to each current identity 
confidence associated with issued active network attributes 406 
that match the current active network attributes 410. An 
example procedure for applying active network attribute 
identity confidence modifiers in accordance with an embodiment 
of the invention is described below with reference to Figure 9. 
Following step 610, the current identity confidences 412 may be 
utilized, for example, as described above with reference to 
Figure 5. 

[0058] Figure 7 depicts example steps for applying passive 
network attribute identity confidence modifiers to current 
identity confidences in accordance with an embodiment of the 
invention. At step 702, a next issued network identifier (NID) 
from the set of issued network identifiers 402 (Figure 4) is 
selected as candidate network identifier. Each issued network 
identifier may be associated with one or more passive network 
attributes, e.g., PNA1, PNA2 and PNA3. At step 704, a next 
passive network attribute (PNA) is selected as candidate 
passive network attribute. The candidate passive network 
attribute has entries in both the set of current passive 
network attributes 408 (the current value) and the subset of 
issued passive network attributes 404 associated with the 
candidate network identifier (the issued value) . For example, 
PNA1 has a current value in the current passive network 
attributes 408 and an issued value associated with the 
candidate network identifier in the issued passive network 
attributes 404 . 
[0059] At step 706, the candidate passive network attribute 
entry in the current passive network attributes 408 (Figure 4) 
is compared to the candidate passive network attribute entry 
associated with the candidate network identifier in the issued 
passive network attributes 404. If there is a match between 
the current passive network attribute value and the issued 
passive network attribute value, the procedure progresses to 
step 708. Otherwise, the procedure progresses to step 710. 

[0060] Each passive network attribute may be associated with 
one or more passive network attribute identity confidence 
modifiers 414 (Figure 4); for example, passive network 
attributes PNA1 and PNA3 may have associated positive passive 
network attribute identity confidence modifiers (+ve PNA ICM) 
and negative passive network attribute identity confidence 
modifiers (-ve PNA ICM). A match between current and issued 
network attributes may increase confidence in a particular 
computer network identification. Some identity confidence 
modifiers, that is, positive identity confidence modifiers, 
are intended to be applied as a result of a match between 
current and issued network attributes. A mismatch between 
current and issued network attributes may decrease confidence 
in a particular computer network identification. Some identity 
confidence modifiers, that is, negative identity confidence 
modifiers, are intended to be applied as a result of a 
mismatch between current and issued network attributes. Each 
passive network attribute may be associated with a positive 
and/or a negative passive network attribute identity confidence 
modifier. 

[0061] At step 708, the positive passive network attribute 
identity confidence modifier (+ve PNA ICM) associated with the 
candidate passive network attribute is applied to the current 
identity confidence associated with the candidate network 
identifier. At step 710, the negative passive network 
attribute identity confidence modifier (-ve PNA ICM) associated 
with the candidate passive network attribute is applied to the 
current identity confidence associated with the candidate 
network identifier. 

[0062] In an embodiment of the invention, identity 
confidence modifiers 414, 416 and 418 (Figure 4) may set the 
current identity confidence to a particular value or to a 
result of a function of the current identity confidence, for 
example, to the result of a linear transformation of the 
current identity confidence. For example, an identity 
confidence modifier for the IP subnet passive network attribute 
may be "set current identity confidence to 50%." A positive 
identity confidence modifier for the authentication domain name 
passive network attribute may be "add 20% to the current 
identity confidence." A negative identity confidence modifier 
for the authentication domain name passive network attribute 
may be "subtract 20% from the current identity confidence." A 
negative identity confidence modifier for the IP subnet 
specification passive network attribute may be "set the current 
identity confidence to 0%." Identity confidence modifiers 414, 
416 and 418 may also be null modifiers, that is, may have no 
effect when applied to the current identity confidence. 
[0063] At step 712, it is determined if there are more 
passive network attribute candidates for the candidate network 
identifier. If there are more passive network attribute 
candidates then the procedure returns to step 704. Otherwise, 
the procedure progresses to step 714. At step 714, it is 
determined if there are more issued network identifier 
candidates. If there are more issued network identifier 
candidates to be considered for the computer network then the 
procedure returns to step 702. Otherwise, the passive network 
attribute identity confidence modifiers 414 (Figure 4) have 
been applied to the current identity confidences 412. 
Equivalent procedures are possible, as will be apparent to one 
of skill in the art, for example, step 706 may be understood as 
a decision operation for traversing an identity confidence 
evaluation tree. 

[0064] Figure 8 depicts example steps for applying learned 
identity confidence modifiers to current identity confidences 
in accordance with an embodiment of the invention. At step 
802, a next issued network identifier (NID) from the set of 
issued network identifiers 402 (Figure 4) is selected as 
candidate network identifier. At step 804, it is determined if 
the current identity confidence of the candidate network 
identifier is above the minimum learned modification identity 
confidence threshold. If the current identity confidence of 
the candidate network identifier is above the minimum learned 
modification threshold then the procedure progresses to step 
806. Otherwise, the procedure progresses to step 808. 
[0065] Each issued network identifier may have an associated 
learned identity confidence modifier as well as a current 
identity confidence. At step 806, the learned identity 
confidence modifier (LICM) associated with the candidate 
network identifier is applied to the current identity 
confidence of the candidate network identifier. In an 
embodiment of the invention, there is a current identity 
confidence ceiling, for example, 80%, beyond which the current 
identity confidence can not be raised by learned identity 
confidence modifiers. An example procedure for determining 
learned identity confidence modifiers in accordance with an 
embodiment of the invention is described below with reference 
to Figure 10. 

[0066] At step 808, it is determined if there are more 
issued network identifier candidates. If there are more issued 
network identifier candidates then the procedure returns to 
step 802. Otherwise, the learned identity confidence modifiers 
418 (Figure 4) have been applied to the current identity 
confidences 412. 

[0067] Figure 9 depicts example steps for applying active 
network attribute identity confidence modifiers to current 
identity confidences in accordance with an embodiment of the 
invention. This example procedure has similarities with the 
example procedure described with reference to Figure 7; as a 
result, aspects of the description with reference to Figure 7 
may apply to this example and vice versa. 

[0068] At step 902, a next issued network identifier from 
the set of issued network identifiers 402 (Figure 4) is 
selected as a candidate network identifier. Each issued 
network identifier may be associated with one or more active 
network attributes, e.g., ANA1 and ANA2. At step 904, a next 
such active network attribute (ANA) is selected as candidate 
active network attribute. The candidate active network 
attribute has a current value in the current active network 
attributes 410 and an issued value associated with the 
candidate network identifier in the issued active network 
attributes 406. 

[0069] At step 906, the current value of the candidate 
active network attribute is compared to the issued value. If 
there is a match between the current active network attribute 
and the issued active network attribute, the procedure 
progresses to step 908. Otherwise the procedure progresses to 
step 910. 

[0070] As for passive network attributes, each active 
network attribute may be associated with one or more active 
network attribute identity confidence modifiers 416 (Figure 4). 
Some active network attribute identity confidence modifiers may 
be positive active network attribute identity confidence 
modifiers (+ve ANA ICM), to be applied as a result of a match 
between current and issued active network attributes. Some 
active network attribute identity confidence modifiers may be 
negative active network attribute identity confidence modifiers 
(-ve ANA ICM), to be applied as a result of a mismatch between 
current and issued active network attributes. For example, 
active network attribute ANA1 may be associated with active 
network attribute identity confidence modifier +ve ANA ICM, and 
active network attribute ANA2 may be associated with active 
network attribute identity confidence modifiers +ve ANA ICM and 
-ve ANA ICM. 

[0071] At step 908, a positive active network attribute 
identity confidence modifier associated with the candidate 
active network attribute is applied to the current identity 
confidence associated with the candidate network identifier. 
At step 910, a negative active network attribute identity 
confidence modifier associated with the candidate active 
network attribute is applied to the current identity confidence 
associated with the candidate network identifier. An example 
positive active network attribute identity confidence modifier 
for the authentication state (with a particular remote 
authentication server) active network attribute is "set the 
current identity confidence to 100%." An example negative 
active network attribute identity confidence modifier for the 
authentication state active network attribute is "set the 
current identity confidence to 0%." 
[0072] At step 912, it is determined if there are more 
active network attribute candidates for the candidate network 
identifier. If there are more active network attribute 
candidates then the procedure returns to step 904. Otherwise, 
the procedure progresses to step 914. At step 914, it is 
determined if there are more issued network identifier 
candidates to be considered for the computer network. If there 
are more issued network identifier candidates then the 
procedure progresses to step 902. Otherwise, the active 
network attribute identity confidence modifiers 416 (Figure 4) 
have been applied to the current identity confidences 412. As 
will be apparent to one of skill in the art, procedures 
equivalent to the described example are possible, for example, 
step 906 may be understood as a branching decision for 
traversing an identity confidence evaluation tree. 
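The whole evaluation of Figure 6, with the passive pass of Figure 7, the learned pass of Figure 8 and the active pass of Figure 9, as an added worked example rather than code from the patent. The modifier values for the IP subnet, authentication domain name and authentication state attributes are the ones quoted in [0062] and [0071]; the null modifiers on the "remote authentication server presence" attribute, the clamping of confidences to 0..100, the attribute visiting order (table order) and all sample attribute values are assumptions of this example. It shows why the active pass matters: with passive attributes alone the best a known network can reach is the learned-modifier ceiling, and only a matching authentication state takes it to 100%, while a mismatching authentication state drives a passive look-alike to 0%.

```python
"""Identity confidence evaluation of Figures 6, 7, 8 and 9, added as a worked example."""
from typing import Dict, Optional, Tuple

# A modifier is ("set", v), ("add", v), ("sub", v) or None for a null modifier ([0062]).
Modifier = Optional[Tuple[str, int]]

INITIAL_CONFIDENCE = 0   # step 602 reset value (page: e.g., 0%)
LEARNED_THRESHOLD = 20   # minimum learned modification identity confidence threshold (e.g., 20%)
LEARNED_CEILING = 80     # learned modifiers cannot raise a confidence beyond this (e.g., 80%)

# (+ve ICM, -ve ICM) per attribute. The ip_subnet, auth_domain and auth_state entries are the
# modifiers quoted in [0062] and [0071]; the null modifiers for auth_server_present are an
# assumption made here to show that a matching attribute may also carry no weight.
PASSIVE_MODIFIERS: Dict[str, Tuple[Modifier, Modifier]] = {
    "ip_subnet":   (("set", 50), ("set", 0)),
    "auth_domain": (("add", 20), ("sub", 20)),
}
ACTIVE_MODIFIERS: Dict[str, Tuple[Modifier, Modifier]] = {
    "auth_server_present": (None, None),
    "auth_state":          (("set", 100), ("set", 0)),
}


def apply_modifier(confidence: int, modifier: Modifier) -> int:
    """Apply one identity confidence modifier; the 0..100 clamp is an assumption."""
    if modifier is None:
        return confidence
    kind, value = modifier
    if kind == "set":
        result = value
    elif kind == "add":
        result = confidence + value
    elif kind == "sub":
        result = confidence - value
    else:
        raise ValueError(f"unknown modifier kind {kind!r}")
    return max(0, min(100, result))


def apply_attribute_modifiers(confidences, issued_by_nid, current, table) -> None:
    """Figures 7 and 9 (steps 702 to 714 / 902 to 914): for each issued NID and each
    attribute with an entry on both sides, apply the +ve modifier on a match and the
    -ve modifier on a mismatch. Attributes are visited in table order (an assumption)."""
    for nid, issued_attrs in issued_by_nid.items():
        if issued_attrs is None:
            continue   # this NID was issued before its active attributes were known
        for name, (positive, negative) in table.items():
            if name not in current or name not in issued_attrs:
                continue   # a candidate attribute needs both a current and an issued value
            matched = current[name] == issued_attrs[name]
            confidences[nid] = apply_modifier(confidences[nid], positive if matched else negative)


def apply_learned_modifiers(confidences, issued) -> None:
    """Figure 8: add each NID's learned variable, but only when the confidence is already
    above LEARNED_THRESHOLD, and never raise it past LEARNED_CEILING."""
    for nid, record in issued.items():
        current = confidences[nid]
        if current <= LEARNED_THRESHOLD:
            continue
        result = current + record["learned"]
        if record["learned"] > 0:
            result = min(result, max(current, LEARNED_CEILING))
        confidences[nid] = max(0, min(100, result))


def compute_identity_confidences(issued, current_passive, current_active=None) -> Dict[str, int]:
    """Figure 6. `issued` maps NID -> {"passive": {...}, "active": {...} or None, "learned": int}."""
    confidences = {nid: INITIAL_CONFIDENCE for nid in issued}                        # step 602
    apply_attribute_modifiers(confidences, {n: r["passive"] for n, r in issued.items()},
                              current_passive, PASSIVE_MODIFIERS)                     # step 604
    if current_active is None:                                                        # step 606
        apply_learned_modifiers(confidences, issued)                                  # step 608
    else:
        apply_attribute_modifiers(confidences, {n: r["active"] for n, r in issued.items()},
                                  current_active, ACTIVE_MODIFIERS)                   # step 610
    return confidences


# Constructed sample: two previously issued identifiers and the attributes of a new connection.
ISSUED = {
    "nid-A": {"passive": {"ip_subnet": "10.1.0.0/16", "auth_domain": "corp.example"},
              "active": {"auth_server_present": True, "auth_state": "authenticated@auth1.corp.example"},
              "learned": 20},
    "nid-B": {"passive": {"ip_subnet": "192.168.1.0/24", "auth_domain": "corp.example"},
              "active": {"auth_server_present": True, "auth_state": "authenticated@auth2.corp.example"},
              "learned": 0},
}
CURRENT_PASSIVE = {"ip_subnet": "10.1.0.0/16", "auth_domain": "corp.example"}
CURRENT_ACTIVE = {"auth_server_present": True, "auth_state": "authenticated@auth1.corp.example"}

if __name__ == "__main__":
    print(compute_identity_confidences(ISSUED, CURRENT_PASSIVE))                  # {'nid-A': 80, 'nid-B': 20}
    print(compute_identity_confidences(ISSUED, CURRENT_PASSIVE, CURRENT_ACTIVE))  # {'nid-A': 100, 'nid-B': 0}
```

In the passive-only run nid-A reaches 70% from its two matching attributes and is lifted by its learned variable, but only to the 80% ceiling; nid-B stays at exactly 20% and is therefore not touched by the learned pass, since the threshold test is strict. Once the authentication state is known, nid-A is confirmed at 100% and nid-B, whose issued state names a different server, drops to 0%.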
[0073] Passive network attributes for a particular computer 
network may become available before active network attributes. 
It may be that high network identity confidence, e.g., 100%, 
can not be obtained without active network attributes, for 
example, it may be that passive network attributes are 
insecure, or it may simply be policy that high confidence 
network identification includes confirmation by active network 
attributes. In order to provide accurate network identity 
confidences independent of active network attributes, learned 
identity confidence modifiers 418 (Figure 4) may be applied to 
current identity confidences 412. 

[0074] Learned identity confidence modifiers 418 may begin 
as a default identity confidence modifier, for example, as a 
null modifier. If active network attributes, once they become 
available, confirm a particular identity confidence 
determination made independently of active network attributes 
then the associated learned identity confidence modifier may be 
augmented, that is, transformed so that, when applied, the 
learned identity confidence modifier will result in higher 
identity confidence values. If active network attributes 
contradict the particular identity confidence determination 
made independently of active network attributes then the 
associated learned identity confidence modifier may be reduced, 
that is, transformed so that, when applied, the learned 
identity confidence modifier will result in lower identity 
confidence values. For example, the learned identity 
confidence modifier may modify the identity confidence by 
adding the value of a learned variable to the identity 
confidence value. To augment such a learned identity 
confidence modifier, an augmentation constant may be added to 
the learned variable. To reduce such a learned identity 
confidence modifier, the augmentation constant may be 
subtracted from the learned variable. In an embodiment of the 
invention, learned identity confidence modifiers 418 are 
adjusted so as to minimize the difference between current 
identity confidences 412 as determined before and after active 
network attributes become available for a particular computer 
network. 

[0075] Figure 10 and Figure 11 depict example steps in 
accordance with an embodiment of the invention for updating 
learned identity confidence modifiers as a result of newly 
available active network attributes. At step 1002 of Figure 
10, one or more active network attributes have become newly 
available. For example, the network fingerprinting component 
310 (Figure 3) may be notified by the network location 
awareness component 308 of the new availability of active 
network attributes in which the network fingerprinting 
component 310 is interested. It is then determined if this is 
the first time that active network attributes have become 
available since the current identity confidences 412 were last 
calculated independent of active network attributes. 

[0076] For example, the network fingerprinting component 310 
may check the active network attribute changed indicators 422 
and the passive network attribute changed indicators 420 to 
determine whether active network attributes have changed since 
the current identity confidences 412 were last calculated 
independent of active network attributes. If so, the procedure 
progresses to step 1004. Otherwise, the procedure progresses 
to step 1006. 

[0077] At step 1004, a copy of the current identity 
confidences 412 as calculated independent of the newly 
available active network attributes is recorded. At step 1006, 
the corresponding active network attribute changed indicators 
422 are updated. In an embodiment of the invention, step 1006 
and ... 

[0078] The current identity confidences 412 (Figure 4) are 
then calculated, for example, as described above with 
reference to Figure 5. The resulting current identity 
confidences 412 (the new CICs) are updated to reflect the 
information provided by the newly available active network 
attributes. At step 1012, the learned identity confidence 
modifiers 418 are adjusted by comparing the recorded identity 
confidences (the old, pre-ANA CICs) with the newly calculated 
current identity confidences (the new CICs) . If particular old 
and new identity confidence pairs compare poorly (e.g., have a 
high difference) then the corresponding learned identity 
confidence modifier may be adjusted so as to reduce the 
difference in future calculations. Learned identity confidence 
modifiers associated with particular old and new identity 
confidence pairs that compare well (e.g., have a low 
difference) may remain unadjusted. 

[0079] Figure 11 depicts example steps for updating learned 
identity confidence modifiers in accordance with an embodiment 
of the invention. For example, the steps depicted in Figure 11 
may be utilized to perform step 1012 of Figure 10. At step 
1102, a next issued network identifier is selected as candidate 
network identifier. At step 1104, the current identity 
confidence (one of the new CICs) of the candidate network 
identifier is compared to a minimum learning identity 
confidence threshold. If the current identity confidence of 
the candidate network identifier is above the minimum learning 
identity confidence threshold, e.g., 0%, then the procedure 
progresses to step 1106. Otherwise the procedure progresses to 
step 1108. 

[0080] At step 1106, the newly calculated (i.e., as 
described above with reference to Figure 10) current identity 
confidence of the candidate network identifier is compared to 
the recorded identity confidence (i.e., the old, pre-ANA CIC) 
of the candidate network identifier. If the (new) current 
identity confidence compares well with (e.g., matches) the 
recorded (old) identity confidence then no adjustment to the 
learned identity confidence modifier is desirable and the 
procedure progresses to step 1108. If the recorded identity 
confidence is less than the current identity confidence then 
it may be desirable to augment the learned identity confidence 
modifier and the procedure progresses to step 1110. If the 
recorded identity confidence is greater than the current 
identity confidence then it may be desirable to reduce the 
learned identity confidence modifier and the procedure 
progresses to step 1112. 

[0081] At step 1110, the learned identity confidence 
modifier of the candidate network identifier may be augmented 
(e.g., linearly) so that, the next time it is applied, a higher 
current identity confidence results. For example, if the 
learned identity confidence modifier before step 1110 is "add 
20% to the current identity confidence" then, after step 1110, 
the learned identity confidence modifier may be "add 40% to the 
current identity confidence." At step 1112, the learned 
identity confidence modifier of the candidate network 
identifier may be reduced (e.g., linearly) so that, the next 
time it is applied, a lower current identity confidence 
results. For example, after step 1112 the learned identity 
confidence modifier may be "subtract 40% from the current 
identity confidence." 

[0082] At step 1108, it is determined if there are more 
issued network identifier candidates. If there are more 
candidate network identifiers then the procedure returns to 
step 1102. Otherwise, the learned identity confidence 
modifiers 418 (Figure 4) have been adjusted in accordance with 
an embodiment of the invention. 
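The learning step of Figure 10 (step 1012) as carried out by Figure 11, written as an added worked example that is not the patent's code. It takes the recorded pre-ANA confidences, the confidences recalculated once active attributes arrived, and each identifier's learned variable (the additive learned modifier of [0074]), and returns the adjusted learned variables. The augmentation constant of 20, the exact-match meaning of "compares well" (a tolerance argument, default 0) and the sample values are assumptions. It also makes visible an edge of the stated procedure: the learning threshold is tested before the comparison, so an identifier whose new confidence is 0% is never learned from, even when its pre-ANA estimate was too high.

```python
"""Learned identity confidence modifier update (Figure 11), added as a worked example."""
from typing import Dict

LEARNING_THRESHOLD = 0      # minimum learning identity confidence threshold (page: e.g., 0%)
AUGMENTATION_CONSTANT = 20  # the augmentation constant of [0074]; its value is an assumption


def update_learned_modifiers(old_cics: Dict[str, int], new_cics: Dict[str, int],
                             learned: Dict[str, int], tolerance: int = 0) -> Dict[str, int]:
    """old_cics: pre-ANA confidences recorded at step 1004; new_cics: confidences
    recalculated with the active attributes; learned: NID -> learned variable.
    Returns a new mapping of learned variables; inputs are left untouched."""
    updated = dict(learned)
    for nid in learned:                         # step 1102: each issued NID in turn
        old, new = old_cics[nid], new_cics[nid]
        if new <= LEARNING_THRESHOLD:           # step 1104: not above the learning threshold
            continue                            # -> step 1108, nothing learned from this NID
        if abs(new - old) <= tolerance:         # step 1106: old and new compare well
            continue                            # -> step 1108, modifier stays as it is
        if old < new:                           # pre-ANA estimate was too low
            updated[nid] = learned[nid] + AUGMENTATION_CONSTANT   # step 1110: augment
        else:                                   # pre-ANA estimate was too high
            updated[nid] = learned[nid] - AUGMENTATION_CONSTANT   # step 1112: reduce
    return updated


# Constructed sample: pre-ANA and post-ANA confidences for three issued identifiers.
OLD_CICS = {"nid-A": 70, "nid-B": 20, "nid-C": 60}
NEW_CICS = {"nid-A": 100, "nid-B": 0, "nid-C": 40}
LEARNED = {"nid-A": 20, "nid-B": 0, "nid-C": 20}

if __name__ == "__main__":
    # nid-A confirmed: 20 -> 40; nid-B skipped (new CIC not above threshold); nid-C contradicted: 20 -> 0
    print(update_learned_modifiers(OLD_CICS, NEW_CICS, LEARNED))  # {'nid-A': 40, 'nid-B': 0, 'nid-C': 0}
```

With these values nid-A's modifier goes from "add 20%" to "add 40%", the change [0081] gives as its example, and nid-C's is reduced to a null modifier; a positive tolerance would let small old/new differences pass as "comparing well" without any adjustment.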
[0083] All references, including publications, patent 
applications, and patents, cited herein are hereby incorporated 
by reference to the same extent as if each reference were 
individually and specifically indicated to be incorporated by 
reference and were set forth in its entirety herein. 
[0084] The use of the terms "a" and "an" and "the" and 
similar referents in the context of describing the invention 
(especially in the context of the following claims) are to be 
construed to cover both the singular and the plural, unless 
otherwise indicated herein or clearly contradicted by context. 
The terms "comprising," "having," "including," and "containing" 
are to be construed as open-ended terms (i.e., meaning 
"including, but not limited to,") unless otherwise noted. 
Recitation of ranges of values herein are merely intended to 
serve as a shorthand method of referring individually to each 
separate value falling within the range, unless otherwise 
indicated herein, and each separate value is incorporated into 
the specification as if it were individually recited herein. 
All methods described herein can be performed in any suitable 
order unless otherwise indicated herein or otherwise clearly 
contradicted by context. The use of any and all examples, or 
exemplary language (e.g., "such as") provided herein, is 
intended merely to better illuminate the invention and does not 
pose a limitation on the scope of the invention unless 
otherwise claimed. No language in the specification should be 
construed as indicating any non-claimed element as essential to 
the practice of the invention. 

[0085] Preferred embodiments of this invention are described 
herein, including the best mode known to the inventors for 
carrying out the invention. Variations of those preferred 
embodiments may become apparent to those of ordinary skill in 
the art upon reading the foregoing description. The inventors 
expect skilled artisans to employ such variations as 
appropriate, and the inventors intend for the invention to be 
practiced otherwise than as specifically described herein. 
Accordingly, this invention includes all modifications and 
equivalents of the subject matter recited in the claims 
appended hereto as permitted by applicable law. Moreover, any 
combination of the above-described elements in all possible 
variations thereof is encompassed by the invention unless 
otherwise indicated herein or otherwise clearly contradicted by 
context. 



